Privacy Policy
This privacy policy covers all Pier39 properties involved in the negotiate.v1 agentic-commerce stack:
- The proxy API at
negotiate.pier39.ai - The hosted MCP endpoint at
mcp.pier39.ai - The
negotiate-mcpPython package when installed locally in an MCP-aware client (Claude Desktop, Cowork, Claude Code, ChatGPT Custom Connectors, etc.) - Any AI shopper agent (such as the Pier39 Custom GPT) that talks to the above on your behalf
Effective date: November 2025 · Last updated: May 2026
What we collect
When you use a shopper agent that calls our proxy API, we receive:
- HTTP request metadata: your IP address, user agent, request timestamp, and the URL you called. This is standard server log data, retained for up to 30 days for abuse prevention and rate limiting.
- Negotiation messages: the shopper turns you (or your AI agent) send to a store, plus the merchant agent's replies. These are stored in memory for the duration of an active chat session (up to 1 hour idle) and then discarded. We do NOT retain transcripts after a session ends.
- The product and store you negotiate with: needed to route your request to the correct storefront.
Connector telemetry (negotiate-mcp)
When you install the negotiate-mcp Python package locally in an MCP client (Claude Desktop, Cowork, Claude Code, etc.), the connector emits a fire-and-forget HTTP POST to https://pier39.fly.dev/api/telemetry on every tool invocation. This is in addition to whatever direct calls the connector makes to merchant negotiate.v1 endpoints.
Payload (a single JSON object per tool call):
| Field | Value | Why we collect it |
|---|---|---|
tool |
Name of the tool invoked (find_stores, discover_store, etc.) |
Counts of which tools get used so we know what to improve. |
brand_slug |
The store slug being negotiated with, if the call targets a pier39.fly.dev/<slug> URL (otherwise null) |
So we can see which Pier39 reference stores are getting agent traffic. Only Pier39-operated reference stores produce a non-null slug; third-party stores at their own domains never appear here. |
client |
An optional client hint from the MCP_CLIENT env var ("claude.ai", "cowork", etc., if set) |
Lets us compare adoption across clients. Empty if you don't set the env var. |
What is NOT sent in telemetry:
- The contents of any negotiation message (shopper turn, merchant reply)
- Product names, prices, quantities, or any catalog data
- The
next_urlorhistory_urlpassed tosend_message/read_history - Personal identifiers beyond what your network already exposes (IP and User-Agent, the same as any HTTP request)
- Any data that would identify you as an individual
Retention: telemetry events are stored for 30 days in aggregate, then discarded. We don't join telemetry to any other dataset.
How to disable (telemetry is on by default; set this env var to turn it off):
In a Claude Desktop or Cowork config (claude_desktop_config.json):
{
"mcpServers": {
"negotiate-agent": {
"command": "uvx",
"args": ["negotiate-mcp"],
"env": { "TELEMETRY_DISABLED": "1" }
}
}
}
For the hosted endpoint at mcp.pier39.ai, telemetry runs on Pier39's server (not on your machine) and is governed by the same retention rules above; there is no per-user opt-out for the hosted variant. If you need a no-telemetry deployment, run negotiate-mcp locally with TELEMETRY_DISABLED=1.
We do NOT collect:
- Your real name, email, payment details, or shipping address — the protocol doesn't transmit any of these
- Browser cookies, fingerprints, or cross-site tracking
- Account credentials of any kind (the proxy is unauthenticated)
- Any message content from telemetry, ever — see the table above for what's actually sent
What we do with it
- Route the negotiation: we forward your messages to the storefront's chat endpoint, get the merchant's reply, return it to your agent. That's the entire purpose.
- Enforce rate limits: per-IP and per-session caps to prevent abuse. These are enforced from the request metadata above.
- Operational debugging: server logs are reviewed when something breaks (an endpoint errors, a deploy fails). Logs are not used for any other purpose.
We do NOT:
- Sell, share, or rent any of this data to third parties
- Use negotiation content to train AI models
- Build user profiles or behavioral analytics
- Run advertising of any kind
What stores you negotiate with see
When you negotiate at a third-party store, your messages are forwarded to that store's negotiate.v1 chat endpoint. Each store has its own privacy policy and data-handling practices. The proxy passes your IP and User-Agent through to the store, plus the negotiation messages themselves.
Currently the only stores in the public directory are run by Pier39 (e.g., the Atlas Premium Appliance reference store at negotiate.pier39.ai/store). As more stores adopt the protocol, you should review their individual privacy policies before negotiating at them. Treat each negotiate.v1 store as a separate party — the protocol creates the conversation channel; it doesn't standardize their data practices.
Data retention
| Data | Retention |
|---|---|
| Active chat sessions (in memory) | Up to 1 hour idle, then discarded |
| Server access logs (request metadata) | Up to 30 days |
Connector telemetry events (tool, brand_slug, client) |
Up to 30 days, then aggregated |
| Anonymized request counts (for analytics) | Aggregated, indefinite |
We do not retain individual negotiation transcripts after a session ends.
Your rights
You can:
- Stop using the proxy at any time. No account to delete.
- Request log deletion for your IP address by emailing the contact listed below. We delete on receipt; default retention is already 30 days.
- Inspect the source code. The entire proxy is open source at github.com/sanjana-pier39/pier39-skills. Verify our claims independently.
Cookies
The proxy API at negotiate.pier39.ai/api/proxy/* does NOT set cookies. It's a stateless REST API.
The Atlas storefront at negotiate.pier39.ai/store/* does NOT set tracking cookies. It uses one HttpOnly session cookie ONLY for the password-gated negotiation viewer at /, which isn't part of the public protocol surface.
Third-party services
The proxy at negotiate.pier39.ai, the hosted MCP at mcp.pier39.ai, and the telemetry endpoint at pier39.fly.dev/api/telemetry are all hosted on Fly.io, which has its own privacy policy. Standard Fly platform metadata (network logs, machine telemetry) is governed by their terms.
The proxy uses the Anthropic Claude API to power merchant agents at Pier39-operated stores. Anthropic's usage policies and privacy policy apply to those API calls. Negotiation messages are sent to Anthropic as part of normal API usage.
When you negotiate at a third-party (non-Pier39) negotiate.v1 store, the connector talks directly to that store's endpoint. Pier39 is not in that data path; the store's own privacy policy applies. See What stores you negotiate with see above.
Children
The negotiate.v1 protocol and the Pier39 reference implementations are not directed at children under 13. We do not knowingly collect data from anyone under 13.
Changes to this policy
We'll update this page when we change anything material about data handling. The "Last updated" date at the top reflects the most recent revision. Substantive changes will be announced on our launch surfaces (GitHub releases, blog).
Contact
For privacy questions, log deletion requests, or anything else covered above, open an issue at github.com/sanjana-pier39/pier39-skills/issues or email sanjana@pier39.ai.
Summary in one paragraph
We run a proxy and hosted MCP that let AI shopping agents negotiate at compliant stores. We see your IP, the stores you visit, and the messages you send — for at most 30 days, only to keep the service running. The locally-installed negotiate-mcp connector also sends a small telemetry ping (tool name + store slug, no message content) to help us count installs; you can disable it by setting TELEMETRY_DISABLED=1 in your MCP client config. We don't sell or share data, don't train AI on your conversations, and don't run ads. Each store you negotiate at has its own privacy practices; check theirs separately. The whole thing is open source.